Personally identifiable information, or “PII,” is information that can be used, either alone or in combination with other information, to uniquely identify a particular person. In the modern computing age, users generate significant amounts of PII in their day-to-day lives, often without awareness that they are doing so, or without appreciating the extent to which the information allows them to be uniquely identified. As devices are able to collect increasingly more data about users (and more sensitive data, such as health information, location information, etc.), privacy concerns about PII are becoming more germane.
Currently, each collector of PII is responsible for informing users what data is being collected, how it is being used, and for what purpose. However, with so many different entities collecting, storing, and using a person's PII, it is difficult for people to understand exactly which entities they have permitted to collect their PII, and what those entities are permitted to do with it. Many such agreements allow the collector of PII a fair amount of freedom to do what they choose with the PII, and at any time. Thus, users are typically not in control of who has their PII, how it is being used, and when. Regulators and governments are becoming increasingly aware of this problem, and are looking to enact legislation that will mandate which controls are put in place and how.
Moreover, most agreements governing an entity's rights and responsibilities with respect to PII are non-negotiable “take it or leave it” agreements: the user must either accept the terms or forgo using a particular service. For example, the terms of use governing a blood-pressure monitoring application and/or device may authorize the provider to record and store blood-pressure information, and, possibly, share the information with third parties. Such agreements do not allow the user to impose any restrictions, for example, on when the provider can record data, when the data can be shared, what the data can be used for, or who it can be shared with. Users could simply refuse to agree to the stated terms, but then they will be unable to use the service or device. In other instances, agreements are so complex and long that the majority of users are either unqualified or unable to understand the rights they are providing. Such extensive “catch all” user agreements also create an impediment for users to understand or even appreciate the extent of their permissions. Accordingly, users are left with a choice between authorizing sweeping access to sensitive PII, or being unable to use beneficial and valuable modern technologies. For various reasons, users often accept the terms, thus giving up substantial control of sensitive PII.